Anonymous iframe demo

Introduction

Anonymous iframes give developers a way to load documents in third-party iframes using a new and ephemeral context. In return, the Cross-Origin-Embedder-Policy (COEP) embedding rules can be lifted.

This way, developers using COEP can now embed third-party iframes that do not use it.

See specification.

Table of contents
  1. Introduction
  2. Feature flags
  3. Feature enabled
  4. window.anonymouslyFramed attribute
  5. Cookies
  6. COEP embedding rules

Feature flags

Chrome

google-chrome-beta --enable-blink-features=AnonymousIframe

Starting from version 106.0.5249.21, websites can also experiment with it using an origin trial.

Firefox

TODO

Safari

TODO

Feature enabled?

Status =

window.anonymouslyFramed attribute

The window.anonymouslyFramed attribute reflects whether the document was loaded inside an anonymous iframe, by its parent...

The attribute was renamed several times: #1, #7. Old versions of Chrome used a different name.

<iframe> <iframe anonymous>

...or one of its ancestors

<iframe anonymous>

Cookies

Inside an anonymous iframe, documents are loaded from a new and ephemeral context. In particular, it is different from the one associated with its origin. It is also different for every new top-level document.

<iframe> <iframe> <iframe anonymous> <iframe anonymous>

Please reload the page, and verify that the anonymous iframes' cookies are gone.

COEP embedding rules

Cross-Origin-Embedder-Policy (COEP) embedding rules are recursive. If a document uses COEP, then its children must also use COEP.

Waiting for third party to deploy COEP is painful for developers. This is often out of their control.

Anonymous iframes lift this restriction, at the cost of loading the document from a fresh context every time.

<iframe> with COEP:require-corp
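
The rules from the window.anonymouslyFramed, Cookies and COEP embedding rules sections, combined in an added example that is not code from this demo page: a simplified JavaScript model of a frame tree, runnable in Node.js. The `evaluateFrameTree` function, the frame names and the nonce strings are assumptions made for illustration.

```javascript
// Simplified model of the rules on this page (an assumption of this example,
// not browser code). A frame is { name, coep, anonymous, children }:
//   coep      - the document is served with Cross-Origin-Embedder-Policy
//   anonymous - its <iframe> element carries the `anonymous` attribute
function evaluateFrameTree(top, topLevelNonce) {
  const results = [];
  function visit(frame, parent) {
    // Set by the frame's own <iframe anonymous>, or inherited from an ancestor.
    const anonymouslyFramed =
      parent !== null && (frame.anonymous === true || parent.anonymouslyFramed);
    // Recursive COEP rule: a COEP parent requires COEP children,
    // unless the child is loaded inside an anonymous iframe.
    const blocked =
      parent !== null && parent.coep && !frame.coep && !anonymouslyFramed;
    // Anonymous frames use a context keyed by a nonce that changes with
    // every new top-level document, so their cookies do not survive a reload.
    const storage = anonymouslyFramed ? `ephemeral:${topLevelNonce}` : "default";
    results.push({ name: frame.name, anonymouslyFramed, blocked, storage });
    if (blocked) return; // a blocked document never loads its children
    const self = { coep: frame.coep === true, anonymouslyFramed };
    for (const child of frame.children || []) visit(child, self);
  }
  visit(top, null);
  return results;
}

// Constructed sample tree (hypothetical frame names).
const SAMPLE_TREE = {
  name: "top", coep: true, children: [
    { name: "widget-plain", coep: false },
    { name: "widget-anon", coep: false, anonymous: true, children: [
      { name: "widget-anon-nested", coep: false },
    ] },
    { name: "partner", coep: true, children: [
      { name: "partner-legacy", coep: false },
    ] },
  ],
};

// Two simulated loads of the top-level document, each with its own nonce.
for (const nonce of ["load-1", "load-2"]) {
  console.table(evaluateFrameTree(SAMPLE_TREE, nonce));
}
```

In the output, `widget-plain` and `partner-legacy` are blocked by their COEP parents, while `widget-anon` and its nested child load with a storage key that differs between the two simulated page loads.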